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CLAIMS 

What is claimed is: 
5 / 1. A method of examining a network, including: 

/ identifying an operating system of a remote host, including a version and 

a patch level of the operating system; 

identifying a service of the remote host, including a version and a patch 
level of the serviae; and 
10 identifying\a vulnerability of the network based on information obtained 

from the steps of identifying an operating system and identifying a service. 

2. The method of claim 1, wherein: 

the step of identifying an operating system includes sending a first set of 
1 5 packets to the remote host and receiving a second set of packets from the remote 

host in response to said first set of packets; 

the step of identifying a service includes sending a third set of packets to 
the remote host and receiving a fourth set of packets from the remote host in 
response to said third set of packets, wherein information contained in said third 
20 set of packets is based on information received in said second set of packets; 
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tneistep of identifying a vulnerability includes comparing information 
contained in the second set of packets and the fourth set of packets to preexisting 
information in a database. 

5 3 . The method of claim 1 , wherein the step of identifying an operating system 

includes sending three sets of packets to the remote host and receiving three 
respective sets off responsive packets from the remote host. 

4. A method jpf examining a network, including: 
1 0 nonintrusivjely and reliably identifying an operating system of a remote host 

including identifying a version of the operating system; 

nonintrusively and reliably identifying a service of the remote host 
including identifying a version of the service. 

15 5. The method 4>f claim 4, further including: 

identifying a vulnerability of the network. 



20 



6. The method oflclaim 4, further including: 
identifying a trqjan application on the host. 
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7. The methc d of claim 4 y further including: 
identifying unauthorized software use on the host. 

8. The method of claim 4, further including: 
identifying security policy violations on the network. 



10 



9. 



The njjethofl of claim 4, wherein: 
the step of Identifying an operating system further includes identifying a 
patch level of the operating system; 

the step of identifying a service further includes identifying a patch level 
of the service. 



15 



10. The method bf claim 4, wherein the steps of identifying an operating 
system and identifying a service each includes: 

sending a selected packet to the remote host; 

receiving from the remote host a reflexive responsive packet. 
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11. The mejhod of claim 4, wherein the steps of identifying an operating 
system and identifying a service each includes: 

sending i plurality of selected packets to the remote host; 

receivingtfrom the remote host a plurality of reflexive responsive packets. 



10 



12. The methop of claim 4, wherein: 

the step of identifying an operating system includes sending a first set of 
packets to the remote host and receiving a second set of packets from the remote 
host in response to said first set of packets; 

the step of ideraifying a service includes sending a third set of packets to 
the remote host and receiving a fourth set of packets from the remote host in 
response to said third seA of packets. 



15 



13. A method of examining a network, including: 

identifying an operating system of a remote host including identifying a 
version of the operating system; 

identifying a service o^the remote host including identifying a version of 
the service; and 

identifying a vulnerability of the network. 



20 
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14. The mfethod of claim 13, wherein: 

the sten of identifying a vulnerability includes using information obtained 
from the steps ©f identifying an operating system and identifying a service to 
identify the vulnerability. 



10 



15. The methoti of claim 13, wherein: 

the step of identifying an operating system further includes identifying a 
patch level of the operating system; 

the step of identifying a service includes identifying a patch level of the 

service. 



15 



16. The method on claim 13, wherein the steps of identifying an operating 
system, identifying a service, and identifying a vulnerability each includes: 

sending a selected packet to the remote host; 

receiving from trie remote host a reflexive responsive packet. 



20 



17. The method of claim 13, wherein: 

the step of identifying an operating system includes sending a first set of 
packets to the remote host and receiving a second set of packets from the remote 
host in response to said first ast of packets; 
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the step of identifying a service includes sending a third set of packets to 
the remote host and receiving a fourth set of packets from the remote host in 
response to said third set of packets; 

the step ctf identifying a vulnerability includes comparing information 
5 contained in the second set of packets and the fourth set of packets to information 

in a database. 

18. The method Af claim 17, wherein: 

information contained in said third set of packets is based on information 
10 received in said second set of packets; 

information contained in said fifth set of packets is based on information 
received in said fourth set of packets. 



15 



19. A method of examining a network, including: 

sending a set of selected packets to a host on the network; 
receiving from the r&mote host a set of reflexive responsive packets; 
identifying conditions of the remote host by using information received in 

the reflexive responsive packets, wherein the conditions include an operating 

system of the host, and a service of the host. 



20 
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20. The method of claim 19, wherein the conditions further include a 
vulnerability of the post. 

21. The method of claim 19, wherein the conditions further include the 
presence of unauthorized software. 

22. The method of claim 19, wherein the conditions include the presence of a 
trojan application. I 

23. The method of claim 19, wherein: 

identifying an operating system includes identifying a version; 
identifying a service includes identifying a version. 

24. The method of claim 19, wherein: 

identifying an operating system includes identifying a version and a patch 
level; \ 

identifying a service includes identifying a version and a patch level. 
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25. The method of claim 19, wherein 

the step of sending a set of selected packets to a host on the network 
includes sending a plurality of sets of packets to the host; 

the step\of receiving from the remote host a set of reflexive responsive 
5 packets includes receiving a like plurality of sets of reflexive responsive packets. 

26. A method of detecting a vulnerability of a network, comprising: 
sending a first set of selected packets to a host on the network; 
receiving a second set of packets from the remote host in response to the 

10 first set of packets; \ 

sending a third set of selected packets to a host on the network, wherein 
information contained in the third set of packets is based on information contained 
in the second set of padkets; 

receiving a fourth set of packets from the remote host in response to the 
1 5 third set of packets; \ 

sending a fifth setlof selected packets to a host on the network, wherein 
information contained in the fifth set of packets is based on information contained 
in the fourth set of packets 

receiving a sixth sel of packets from the remote host in response to the 
20 fifth set of packets; \ 
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based on mformation contained in the second, fourth, and sixth set of 
packets, identifying an operating system of a host on the network, including a 
version and a patchUevel. 

5 27. The method of claim 26, further including: 

sending a seventh set of selected packets to a host on the network; 
receiving an eighth set of packets from the remote host in response to the 
seventh set of packets;! 

sending a ninth bet of selected packets to a host on the network; 
10 receiving a tenth set of packets from the remote host in response to the 

ninth set of packets; I 

based on information contained in the eight and tenth sets of packets, 
identifying a service of auiost on the network, including a version and a patch 
level. \ 

27, further including: 

contained in at least the tenth sequence, identifying 



15 



28. The method of clair 
based on informatioil 
a vulnerability. 



20 
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29. The method onclaim 26, wherein: 
the first set of Jackets includes: 

a S YN P^fcket with false flag in the TCP option header; 

a Fragmented UDP packet with malformed header (any header 
inconsistency is sufficient), where the packet is 8K in size; 

a FIN Packefe of a selected variable size or a FIN packet without 
the ACK or SYN flag properly set; 

a generic, welllformed ICMP ECHO request packet; 
the third set of packets includes: 

a generic well-formed TCP Header set to 1024 bytes in size; 

a Packet requesting an ICMP Timestamp; 

a Packet with njin/max segment size set to a selected variable 

value; 

a UDP packet with the fragment bit set; 
the fifth set of packets includes: 

a TCP Packet wii h the header and options set incorrectly; 
a well-formed IC v4P Packet; 

: ? or UDP packet; 
mpty TCP window or a window set to zero; 



a Fragmented TC 
a packet with an € 



20 



a generic TCP Paqket with 8K of random data; 
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a SYN Packet with ACK and RST flags set. 



10 



15 



30. A method of examining a network, comprising: 
sending a plurality oflpackets to a network; 

receiving a responsiv^plurality of packets from the network; 
comparing informatior^in the responsive packets to information stored in 
a database; 

based on the comparison, identifying a plurality of network conditions, 
including a vulnerability of the network. 

31. A method of examining a network, comprising: 
sending packets to a netkvork; 
receiving responsive packets from the network; 

comparing information ii| the responsive packets to information stored in 
a database; 

based on the comparison, (identifying a trojan application on the network. 



20 



32. A method of examining alnetwork, comprising: 
sending packets to a network; 
receiving responsive packets from the network; 
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comparing information in the responsive packets to information stored in 
a database; \ 

based on\ the comparison, identifying unauthorized software use on the 
network. \ 
5 \ 

33. A method of examining a network, comprising: 
sending pacwets to a network; 

receiving responsive packets from the network; 

comparing information in the responsive packets to information stored in 
10 a database; \ 

based on the comparison, inferring an unknown vulnerability. 

34. A method of examining a network, comprising: 
sending packets tp a network; 

1 5 receiving responsive packets from the network; 

comparing information in the responsive packets to information stored in 
a database; \ 

based on the comparison, identifying a security policy violation. 



20 



Attorney Docket No. :HVWD 1 00 1 USOMEM/SBS 
sbs/hvwd/ 1 00 1 /l 00 1 usO.OO 1 



15 



-43 - 

35. A system for examining a network, comprising: 
a database including a set of reflex signatures; 
a packet generator; 

a compa^json unit in communication with the packet generator and the 
database; 

wherein thh packet generator is designed to generate and transmit a 
plurality of test packets to the network; 

wherein the comparison unit is designed to receive responsive packets 
from the network andl to compare responsive packet information with the reflex 



10 signatures. 



36. The system of claim 35, wherein the comparison unit is further designed 
to identify a vulnerability in the network based on its comparison of packet 
information with reflex signatures. 

37. The system of claim 35, wherein the comparison unit is further designed 
to identify an operating system type, version, and patch level and a service type, 
version, and patch level of alhost on the network. 
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38. The system of claim 35, wherein the comparison unit is designed to 
provide information to the packet generator, and wherein the packet generator is 
designed to use the information to selectively generate packets. 

5 39. A computer readable medium, having instructions stored therein, which, 

when executed by a\ computer, causes the computer to perform the steps of: 

identifying an operating system of a remote host, including aversion of the 
operating system; 1 

identifying a service on the port and a service of the remote host, including 
10 a version of the service; and 

identifying a vulnerability of the network based on information obtained 
from the steps of identifying an operating system and identifying a service. 

40. The computer readable medium of claim 39, wherein: 
15 the instructions ibr identifying an operating system further include 

instructions for identifying a patch level of the operating system; and 

the instructions foi identifying a service further include instructions for 
identifying a patch level of the service. 



20 
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41. The computer readable medium of claim 39, wherein: 

the step of identifying an operating system includes sending a first set of 
packets to the remote most and receiving a second set of packets from the remote 
host in response to said first set of packets; 
5 the step of identifying a service includes sending a third set of packets to 

the remote host and receiving a fourth set of packets from the remote host in 
response to said third settof packets, wherein information contained in said third 
set of packets is based on unformation received in said second set of packets; 

the step of identifying a vulnerability includes comparing information 
10 contained in the second sequence of packets and the fourth sequence of packets 

to information in a database.! 

42. A method for use by attiost on a network, comprising: 
receiving a set of selected packets from remote equipment; 

1 5 automatically sending a second set of packets to said remote equipment, 

which packets include information that enables the remote equipment to identify 
a vulnerability on the network. 1 

43. A method for use by a host on a network, comprising: 
20 receiving a first set of packets from remote equipment; 
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automatically sending a second set of packets to said remote equipment; 
receiving avthird set of packets from the remote equipment; 
automatically sending a fourth set of packets to the remote equipment; 
receiving a fifth set of packets from the remote equipment; 
automatically! sending a sixth set of packets from the remote equipment; 
receiving a seventh set of packets from the remote equipment; 



automatically j e 
receiving a nin 



that enables the remote 
including a version anc 



nding an eighth set of packets from the remote equipment; 
1 set of packets from the remote equipment; 
automatically sjending a tenth set of packets from the remote equipment; 
10 wherein said sebond, fourth, and sixth sets of packets include information 

equipment to identify an operating system on the network, 
a patch level; 

wherein said eighth and tenth sets of packets include information that 
enables the remote equipment to identify a service, including a version and a patch 
15 level. 
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